diff --git a/caps/nsScriptSecurityManager.h b/caps/nsScriptSecurityManager.h index 5400c9f2254c..f97170b145e9 100644 --- a/caps/nsScriptSecurityManager.h +++ b/caps/nsScriptSecurityManager.h @@ -81,6 +81,8 @@ class nsScriptSecurityManager final : public nsIScriptSecurityManager { bool aFromPrivateWindow, uint64_t aInnerWindowID = 0); + static uint32_t HashPrincipalByOrigin(nsIPrincipal* aPrincipal); + static bool GetStrictFileOriginPolicy() { return sStrictFileOriginPolicy; } void DeactivateDomainPolicy(); diff --git a/dom/security/nsContentSecurityManager.cpp b/dom/security/nsContentSecurityManager.cpp index 7ba51b286676..9181de826575 100644 --- a/dom/security/nsContentSecurityManager.cpp +++ b/dom/security/nsContentSecurityManager.cpp @@ -1427,9 +1427,6 @@ nsresult nsContentSecurityManager::doContentSecurityCheck( rv = CheckAllowLoadByTriggeringRemoteType(aChannel); NS_ENSURE_SUCCESS(rv, rv); - rv = CheckForIncoherentResultPrincipal(aChannel); - NS_ENSURE_SUCCESS(rv, rv); - // if dealing with a redirected channel then we have already installed // streamlistener and redirect proxies and so we are done. if (loadInfo->GetInitialSecurityCheckDone()) { @@ -1712,66 +1709,3 @@ nsContentSecurityManager::PerformSecurityCheck( inAndOutListener.forget(outStreamListener); return NS_OK; } - -nsresult nsContentSecurityManager::CheckForIncoherentResultPrincipal( - nsIChannel* aChannel) { - nsCOMPtr loadInfo = aChannel->LoadInfo(); - ExtContentPolicyType contentPolicyType = - loadInfo->GetExternalContentPolicyType(); - if (contentPolicyType != ExtContentPolicyType::TYPE_DOCUMENT && - contentPolicyType != ExtContentPolicyType::TYPE_SUBDOCUMENT && - contentPolicyType != ExtContentPolicyType::TYPE_OBJECT) { - return NS_OK; - } - - nsCOMPtr resultOrPrecursor; - nsresult rv = nsScriptSecurityManager::GetScriptSecurityManager() - ->GetChannelResultPrincipalIfNotSandboxed( - aChannel, getter_AddRefs(resultOrPrecursor)); - NS_ENSURE_SUCCESS(rv, rv); - NS_ENSURE_STATE(resultOrPrecursor); - - if (nsCOMPtr precursor = - resultOrPrecursor->GetPrecursorPrincipal()) { - resultOrPrecursor = precursor; - } - - if (!resultOrPrecursor->GetIsContentPrincipal()) { - return NS_OK; - } - - nsAutoCString resultSiteOriginNoSuffix; - rv = resultOrPrecursor->GetSiteOriginNoSuffix(resultSiteOriginNoSuffix); - NS_ENSURE_SUCCESS(rv, rv); - - nsCOMPtr resultSiteOriginURI; - NS_NewURI(getter_AddRefs(resultSiteOriginURI), resultSiteOriginNoSuffix); - NS_ENSURE_STATE(resultSiteOriginURI); - - nsCOMPtr channelURI; - aChannel->GetURI(getter_AddRefs(channelURI)); - NS_ENSURE_STATE(channelURI); - - nsCOMPtr channelUriPrincipal = - BasePrincipal::CreateContentPrincipal(channelURI, {}); - NS_ENSURE_STATE(channelUriPrincipal); - - nsAutoCString channelUriSiteOrigin; - rv = channelUriPrincipal->GetSiteOriginNoSuffix(channelUriSiteOrigin); - NS_ENSURE_SUCCESS(rv, rv); - - nsCOMPtr channelSiteOriginURI; - NS_NewURI(getter_AddRefs(channelSiteOriginURI), channelUriSiteOrigin); - NS_ENSURE_STATE(channelSiteOriginURI); - - if (nsScriptSecurityManager::IsHttpOrHttpsAndCrossOrigin( - resultSiteOriginURI, channelSiteOriginURI) || - (!net::SchemeIsHTTP(resultSiteOriginURI) && - !net::SchemeIsHTTPS(resultSiteOriginURI) && - (net::SchemeIsHTTP(channelSiteOriginURI) || - net::SchemeIsHTTPS(channelSiteOriginURI)))) { - return NS_ERROR_CONTENT_BLOCKED; - } - - return NS_OK; -} diff --git a/dom/security/nsContentSecurityManager.h b/dom/security/nsContentSecurityManager.h index 45757a973c15..17d42e9676f0 100644 --- a/dom/security/nsContentSecurityManager.h +++ b/dom/security/nsContentSecurityManager.h @@ -87,7 +87,6 @@ class nsContentSecurityManager : public nsIContentSecurityManager, static nsresult CheckAllowLoadInPrivilegedAboutContext(nsIChannel* aChannel); static nsresult CheckChannelHasProtocolSecurityFlag(nsIChannel* aChannel); static bool CrossOriginEmbedderPolicyAllowsCredentials(nsIChannel* aChannel); - static nsresult CheckForIncoherentResultPrincipal(nsIChannel* aChannel); virtual ~nsContentSecurityManager() = default; };